On ZDNet Asia a year ago, Howard Schmidt, who once was the cybersecurity advisor to the current Administration, said: “In software development, we need to have personal quality assurances from developers that the code they write is secure.”
Extending his logic, one would suppose that developers are also personally responsible for bugs.
Personal responsibility has become more important here in the USA, now that the Sarbanes-Oxley Act requires companies' CEOs and CFOs to personally certify their corporations' financial reports. The law was enacted in response to a number of corporate accounting scandals where executives hid behind the old “I'm only in charge of accounting so you can't possibly expect me to know what's in the books” defense.
The government has exercised oversight over publicly-traded companies since the formation of the Securities and Exchange Commission in 1934. There's no need for a software version of a law comparable to Sarbanes-Oxley, as the Feds have no role in monitoring bugs or security concerns in commercial software.
Or does it? On August 9 the Department of Homeland Security issued an advisory for Windows users to patch their systems now. Turns out the US-Computer Emergency Readiness Team (US-CERT) is part of DHS, and was “established in 2003 to protect the nation's Internet infrastructure.”
It's not hard to see how zealous politicians could twist that mandate into onerous legislation meant to safeguard computing, especially if some software disaster leads to mass chaos. Suppose the air traffic control system went down for a week, or banking code left our accounts in shambles… surely Congress would react in its usual fashion.
Enter the Burns-Jefferson Act of 2007. Just a bit longer than Sarbanes-Oxley's 66 pages, the Act requires that all developers of any program longer than 10,000 lines (5 lines if written in Basic) personally certify that their code is absolutely correct and completely secure. Programmers who deliver buggy or insecure software can expect to spend 10-15 years in a federal prison and incur fines up to $250,000.
The law forms a new quasi-public corporation called the Software Company Programming Oversight Board which trains and certifies people to audit development strategies. These auditors, expected to be recruited from the surplus of agents left unemployed when TSA's standards were increased to require a high school diploma, will have wide-ranging authority to shut down any engineering team writing code the auditors find “lacks a clarity of expression such that the auditor cannot completely understand its meaning, intentions and repercussions.”
A standardized testing regime being developed by Halliburton will ensure the Act's impact is equitable for firms large and small. All software will be subjected to exactly the same set of tests. For instance, it requires that every program must be able to open a spreadsheet in under one second, to, as the Act puts it, “insure the security of the nation isn't compromised by consumers going postal over slow code.” When asked how a Z8-based TV remote control will open spreadsheets, a spokesman for the law's sponsors said: “We expect the innovative spirit of American programmers will easily overcome any minor technological issues.”
Another provision of the law creates a toll-free hotline for anonymous complaints from consumers who are unable to master any software-based product. The operation of those 53 buttons on a video recorder will have to be intuitively obvious. Tipsters will also report bugs, crashes and other odd behaviors that result when they click on the “free p0rn” pop-up from their unsecured browser.
The new law, of course, only applies to software written in the United States. Oddly, at the same time the law was signed by the president, the stocks of Tata Consultancy Services and 5 other large outsourcing firms in India quadrupled.
Jack G. Ganssle is a lecturer and consultant on embedded development issues. He conducts seminars on embedded systems and helps companies with their embedded challenges. Contact him at . His website is .
Is it April on US Capitol Hill or is this for real? But then again, either we do something about software quality or have someone else tell us how to. The auto industry was lucky to have Nader holding their collective scruff. We are heading towards politicians telling us what to do!
– kalpak dabir
Jack Replies Kalpak – to answer your question and a lot of email I'm getting, everything about the Burns-Jefferson act is tongue-in-cheek. There's no such act… let's just hope there never is!
Sounds more like a George Burns/Gracie Allen act to me.
It's true that developers of all sorts need to take personal responsibility for their products. Part of that would be to not participate in products beyond their skill level. Another part is to verify (through execution of a formal test procedure) that it meets design goals. Essential to that is the intended market – I write some software which is intended for use on intranets, not the Internet. It is the responsibility of the customers' IS depts to ensure that illegitimate requests are not made.
From the legal side of things, I think that the EULAs for most software cover this:
– Andy Kunz
I'm very VERY glad I'm not a software developer working in America. I would never want to release any code. The ironic thing is, the bigger the program, the more likely there are to be bugs. A program with less than 10,000 lines of code is likely to be easier to make bug free than a program with more than that.
I predict there will be a lot of programmers throwing away things like readability and maintainability of code in order to squeeze their code into under 10k lines. I also predict that the obfuscated code contest will suddenly see many more entrants!
Also I feel sorry for Microsoft; they will probably never release another operating system in the US if this came into force. Ah well, that's a shame.
– Malcolm Humphrey
Hehe, good one, Jack. Thanks for starting my day off with a chuckle.
BTW, your article sheds some light on another good reason for exposing engineering students to the arts while in college – to recognize satire when they see it 😉
– Debi Cole
Great satire! You oughta get a spot on the Colbert Report! … well maybe not YAWWWWNNNNN!!!
Anywhooo… There are regulations in place concerning safety and reliability, mostly in the medical devices field. Most of this was spurred on when a mishap with a radiation device occurred, in Canada I believe. A technician changed an entry in the patient database, and the bug accidentally fried another patient who was undergoing treatment on the machine.
As per usual, and on cue, the Canadian and US gov'ts promptly knee-jerked a bunch of regulations in!
I think that the standards organizations are really doing a fine job with making sure that a uniform set of operations are affected in the communications industries. Without this, things like Ethernet and TCP/IP would be very difficult to implement…
As to coding practices…well let me just say that everyone has an opinion on this one!
– Ken Wada
Not certified… no software development for you!
– Software Nazi
>Jack Replies: … everything about the Burns-Jefferson act is tongue-in-cheek. There's no such act…
Does the fact that you had to spell this out indicate one of the problems in the industry??
– Paul Connor
Jack, should the reader feel some Orwellian echo from your issue, or does the US government have certain plans for populating Alaska with failed programmers? Maybe it is not such an absurdity to exile engineers to a cold place – we all know about the “subzero superconduct effect”. Remember that your major space rivals sent their rocket creator Korolyov on a long creative trip to Cyberia. So, probably in your northern state programmers will think faster and sharper, thus will produce less buggy code in shorter deadlines. But one will ask her/himself what about the managers, decision-makers and all those C- and O- abbreviations? Where should they be sent? So, we expect your next issue about them to have more of Dante's style 😉
– Kolio Georgiev
Nice one, Jack.
When Burns-Jefferson comes in, the sycophants that pass for a government in Australia will inevitably 'us too' the deal – and hire on Halliburton to implement the whole kit 'n caboodle 'down under'.
The mind boggles at the number of Pollie-Jollies (fact finding missions) this will involve (Vegas, Aspen, Tahoe, Hawaii . . . )
Halliburton have already built and currently operate the rail link from Darwin to the Uranium mines and former Brit (Pommy) nuke test sites in South Australia – ready for all that nuclear waste that will inevitably be coming this way – so maybe the punishment for getting caught handling bad code will be 10 years hard yakka humping barrels that glow in the dark.
– Oz Waldo
Is there anything in the Burns-Jefferson Act of 2007 to cover documentation culpability?
– Peter House
Trying to pull a Jonathan Swift, are we?
Take it from your friendly neighborhood health care systems engineer: If you don't police yourselves, someone else will do it for you. Readers of Jack's columns are unlikely to be the bad actors whose negligence/incompetence/interest-in-stifling-innovative-competition could lead to cries for regulatory zealotry.
Swift's works didn't deliver their sting in a vacuum. Neither does Jack's. Today's dark humor could presage tomorrow's tears. Not only do you need to not shoot the messenger, you need to find and deliver a message regarding the underlying issue to other than yourselves.
– Rick Schrenker
I was wondering just how far the tongue was in the cheek. Anyone that didn't get “it” needs to read something other than technical. Perhaps something light and fluffy like Fahrenheit 451 (Celsius 232.78 in the metric world ;^) )
– Tim Flynn
66 pages of legalese would be how many lines of “code”? Software is planning and rules, whether written in “C++”, “Java”, “basic”, or some other language, and whether executed on a silicon machine or a biological mind. If we take a much broader view like that, can our lawmakers certify that their code is 100% bug-free, constitutionally consistent, and perfect? Hmmm… what board will certify “that”?… (Just a mind-teaser.) I enjoyed the article, Jack.
It seems that I read somewhere that small pieces of code can be tested logically for all possible inputs and outputs. With large conglomerations of code the number of possible inputs and outputs becomes (generally) intractable. So one testing strategy is to test all the small pieces individually and thoroughly.
There needs to be a way for programmers to really think through thoroughly the problem (and its environment) their program is trying to solve.
– Dallas Raty
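The testing strategy Dallas Raty describes above, exhaustively checking a small unit over its entire input domain, is worth seeing in working code. The following is an added example, not code from the article or from any of the commenters. It assumes a hypothetical 8-bit saturating add of the kind found in embedded signal-processing code: a correct version, a deliberately wrapping version (the clamp the author meant to write can never fire on a uint8_t, so the sum silently wraps), and a checker that runs all 256 x 256 = 65,536 input pairs against an independent reference model. Two 32-bit inputs would give 2^64 pairs, which is exactly why this only works for small pieces.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical unit under test: 8-bit saturating add, correct version.
   The sum is formed in 16 bits so the overflow is visible before clamping. */
uint8_t sat_add_u8(uint8_t a, uint8_t b)
{
    uint16_t sum = (uint16_t)a + (uint16_t)b;
    return sum > 255u ? 255u : (uint8_t)sum;
}

/* Deliberately buggy version (constructed for this example). The author
   intended "if (sum > 255) sum = 255;" but sum is a uint8_t, so that test
   can never be true and the compiler would drop it: the add just wraps. */
uint8_t sat_add_u8_wrapping(uint8_t a, uint8_t b)
{
    uint8_t sum = (uint8_t)(a + b);
    return sum;
}

/* Independently written reference model using unbounded (here, unsigned int)
   arithmetic. It is the oracle the unit under test is compared against. */
static unsigned ref_sat_add(unsigned a, unsigned b)
{
    unsigned sum = a + b;
    return sum > 255u ? 255u : sum;
}

typedef uint8_t (*sat_add_fn)(uint8_t, uint8_t);

struct exhaustive_result {
    unsigned long mismatches; /* number of input pairs where unit != reference */
    int first_a;              /* first failing pair in loop order, or -1 */
    int first_b;
};

/* Exhaustive check: every one of the 65,536 (a, b) pairs is tried, so a
   result of zero mismatches is a proof of equivalence with the reference
   over the whole input domain, not a statistical sample of it. */
struct exhaustive_result exhaustive_check(sat_add_fn unit)
{
    struct exhaustive_result r = { 0, -1, -1 };
    for (unsigned a = 0; a < 256; a++) {
        for (unsigned b = 0; b < 256; b++) {
            if (unit((uint8_t)a, (uint8_t)b) != ref_sat_add(a, b)) {
                if (r.mismatches == 0) {
                    r.first_a = (int)a;
                    r.first_b = (int)b;
                }
                r.mismatches++;
            }
        }
    }
    return r;
}

int main(void)
{
    struct exhaustive_result ok  = exhaustive_check(sat_add_u8);
    struct exhaustive_result bad = exhaustive_check(sat_add_u8_wrapping);

    printf("sat_add_u8:          %lu mismatches over 65536 inputs\n", ok.mismatches);
    printf("sat_add_u8_wrapping: %lu mismatches, first at a=%d b=%d\n",
           bad.mismatches, bad.first_a, bad.first_b);
    return ok.mismatches == 0 ? 0 : 1;
}
```

The wrapping version fails on every pair with a + b >= 256, which is 1 + 2 + … + 255 = 32,640 of the 65,536 inputs; the first failure in loop order is a = 1, b = 255. A handful of hand-picked spot tests (0 + 0, 10 + 20, 100 + 100) would pass both versions, which is the point of the comment: for a unit this small, trying everything is cheap and leaves nothing to chance.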